<div dir="ltr">AFAIK there is a getent() function in syslog-ng-incubator for the port -> protocol translation.</div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-12 17:15 GMT+01:00 Scheidler, Balázs <span dir="ltr">&lt;<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>I would suggest doing this mapping _after_ the db-parser() stuff, e.g. I would use db-parser _only_ to extract name-value pairs and then do mappings from the syslog-ng configuration file:<br><br></div>parser { <br></div> channel {<br></div> parser { db-parser(); };<br></div> rewrite { set("telnet" value("LOCALPORT") condition("${LOCALPORT}" == "23")); };<br> rewrite { set("ssh" value("LOCALPORT") condition("${LOCALPORT}" == "22")); };<br> };<br><div><div><div>};<br><br></div><div>We would definitely need to improve the syntax in the rewrite portion though, and I am willing to invest some effort in that direction. <br><br></div><div>My point really is that db-parser() should be used for extraction, the rest of the syntax language for munging/mapping.<br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote"><div><div class="h5">On Tue, Jan 12, 2016 at 4:47 PM, Fabien Wernli <span dir="ltr">&lt;<a href="mailto:wernli@in2p3.fr" target="_blank">wernli@in2p3.fr</a>&gt;</span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">Hi Mark,<br>
<br>
You can use template functions in patterndb [1].<br>
The idea is to add a value to the matched message, which contains the result<br>
of a template function. You could for instance use the "if" function:<br>
<br>
&lt;values&gt;<br>
&lt;value name="svc"&gt;$(if ("${port}" == "22") "ssh" "telnet")&lt;/value&gt;<br>
&lt;/values&gt;<br>
<br>
If you need anything more complex, and if you are using the 3.7.x series,<br>
you could even use a python script using the "python" template function.<br>
<br>
Cheers<br>
<br>
[1] <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions" rel="noreferrer" target="_blank">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html#reference-template-functions</a><br>
<br>
<br></div></div>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div>
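Added example (not from the thread or from the syslog-ng project): a self-contained port-to-service lookup in the spirit of the getent-style translation and the Python-script route mentioned above, which validates the port because it comes from parsed log text. The function names, the calling convention (log message first, then template arguments, possibly as bytes) and the embedded services excerpt are assumptions made for illustration.

```python
# Constructed excerpt in services(5) format, embedded so the block runs
# offline; in practice feed load_services() the text of /etc/services.
SERVICES = """\
ssh      22/tcp                 # SSH Remote Login Protocol
telnet   23/tcp
domain   53/tcp
domain   53/udp
http     80/tcp       www
"""


def _as_port(text):
    """Return text as an int in 1..65535, or None if it is not a valid port."""
    if len(text) <= 5 and text.isascii() and text.isdigit():
        number = int(text)
        return number if 0 < number <= 65535 else None
    return None


def load_services(text):
    """Parse services(5) text into {(port, proto): name}; first entry wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank, comment-only or malformed line
        port, _, proto = fields[1].partition("/")
        number = _as_port(port)
        if number is not None:
            table.setdefault((number, proto.lower()), fields[0])
    return table


_TABLE = load_services(SERVICES)


def port_to_service(log_message, port, proto="tcp"):
    """Return the service name for port, or the input unchanged if unknown."""
    # Assumption: the caller passes the log message first, then the template
    # arguments, which may arrive as bytes depending on the Python version.
    if isinstance(port, bytes):
        port = port.decode("ascii", "replace")
    if isinstance(proto, bytes):
        proto = proto.decode("ascii", "replace")
    port = port.strip()
    number = _as_port(port)  # the value comes from parsed log text: validate
    if number is None:
        return port
    return _TABLE.get((number, proto.lower()), port)
```

Unknown or malformed ports are returned unchanged rather than guessed, so a downstream filter still sees the original value.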